From build...@apache.org
Subject svn commit: r838991 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-oauth2.html
Date Wed, 21 Nov 2012 10:48:01 GMT
Author: buildbot
Date: Wed Nov 21 10:48:01 2012
New Revision: 838991

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-oauth2.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-oauth2.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-oauth2.html (original)
+++ websites/production/cxf/content/docs/jax-rs-oauth2.html Wed Nov 21 10:48:01 2012
@@ -125,19 +125,19 @@ Apache CXF -- JAX-RS OAuth2
 
 
 <div>
-<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MAC">MAC</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing OAuthDataProvider</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth Server JAX-RS endpoints</a></li></ul><l
 i><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User Session Authenticity</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting resources
with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2withouttheExplicitAuthorization">OAuth2
without the Explicit Authorization</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth
Without a Browser</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting
error details</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design
considerations</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling
the Access to Resource Server</a></li><ul><li><a shape="rect" href="#JA
 X-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing the same access
path between end users and clients</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing
different access points to end users and clients</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
+<ul><li><a shape="rect" href="#JAX-RSOAuth2-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Mavendependencies">Maven dependencies</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-DevelopingOAuth2Servers">Developing OAuth2 Servers</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationService">Authorization Service</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenService">AccessTokenService</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AccessTokenTypes">Access Token Types</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-Bearer">Bearer</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-MAC">MAC</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-AccessTokenValidationService">AccessTokenValidationService</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-SupportedGrants">Supported Grants</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-AuthorizationCode">Authorization Code</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-
 Implicit">Implicit</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ClientCredentials">Client
Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ResourceOwnerPasswordCredentials">Resource
Owner Password Credentials</a></li><li><a shape="rect" href="#JAX-RSOAuth2-RefreshToken">Refresh
Token</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-WritingOAuthDataProvider">Writing
OAuthDataProvider</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuthServerJAXRSendpoints">OAuth
Server JAX-RS endpoints</a></li></ul><li><a shape="rect" href="#JAX-RSOAuth2-UserSessionAuthenticity">User
Session Authenticity</a></li><li><a shape="rect" href="#JAX-RSOAuth2-ProtectingresourceswithOAuthfilters">Protecting
resources with OAuth filters</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Howtogettheuserloginname">How
to get the user login name</a></li><li><a shape="rect" href="#JAX-RSOAuth2-Clientsidesupport">Client-side
support</a></li><li><a shape="rect" href="#JAX-RSOAuth2-OAuth2witho
 uttheExplicitAuthorization">OAuth2 without the Explicit Authorization</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-OAuthWithoutaBrowser">OAuth Without a Browser</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Reportingerrordetails">Reporting error details</a></li><li><a
shape="rect" href="#JAX-RSOAuth2-Designconsiderations">Design considerations</a></li><ul><li><a
shape="rect" href="#JAX-RSOAuth2-ControllingtheAccesstoResourceServer">Controlling the
Access to Resource Server</a></li><ul><li><a shape="rect" href="#JAX-RSOAuth2-Sharingthesameaccesspathbetweenendusersandclients">Sharing
the same access path between end users and clients</a></li><li><a shape="rect"
href="#JAX-RSOAuth2-Providingdifferentaccesspointstoendusersandclients">Providing different
access points to end users and clients</a></li></ul><li><a shape="rect"
href="#JAX-RSOAuth2-SingleSignOn">Single Sign On</a></li></ul><li><a
shape="rect" href="#JAX-RSOAuth2-WhatIsNext">What Is Next</a></li></ul></div>
 
 <h1><a shape="rect" name="JAX-RSOAuth2-Introduction"></a>Introduction</h1>
 
 <p>CXF 2.6.0 provides an initial implementation of <a shape="rect" class="external-link"
href="http://tools.ietf.org/html/draft-ietf-oauth-v2" rel="nofollow">OAuth 2.0</a>.
See also the <a shape="rect" href="jax-rs-oauth.html" title="JAX-RS OAuth">JAX-RS OAuth</a>
page for information about OAuth 1.0.</p>
 
-<p>Authorization Code, Implicit, Client Credentials and Resource Owner Password Credentials
grants are currently supported with other grant handlers to be added later.</p>
+<p>Authorization Code, Implicit, Client Credentials, Resource Owner Password Credentials
and Refresh Token grants are currently supported with other grant handlers to be added later.</p>
 
 <p>Custom grant handlers can be registered.</p>
 
 <p>OAuth2 is a new protocol which offers a complex yet elegant solution toward helping
end users (resource owners) authorize third-party providers to access their resources.</p>
 
-<p>The OAuth2 flow is closely related to the original OAuth 1.0 3-leg flow is called
Authorization Code and involves 3 parties: the end user, the third party service (client)
and the resource server which is protected by OAuth2 filters. Typically a client offers a
service feature that an end user requests and which requires the former to access one or more
protected resources on behalf of this user which are located at the resource server. For example,
the client may need to access the end user's photos in order to print them and post to the
user or read and possibly update a user's calendar in order to make a booking.</p>
+<p>The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow is
called Authorization Code and involves 3 parties: the end user, the third party service (client)
and the resource server which is protected by OAuth2 filters. Typically a client offers a
service feature that an end user requests and which requires the former to access one or more
protected resources on behalf of this user which are located at the resource server. For example,
the client may need to access the end user's photos in order to print them and post to the
user or read and possibly update a user's calendar in order to make a booking.</p>
 
 <p>In order to make it happen, the third-party service application/client needs to
register itself with the OAuth2 server. This happens out-of-band and after the registration
the client gets back a client key and secret pair. Typically the client is expected to provide
the name and description of the application, the application logo URI, one or more redirect
URIs, and other information that may help the OAuth2 authorization server to identify this
client to the end user at the authorization time.  </p>
 
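Review bot: the rewritten paragraph at `+<p>The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow is` restores the missing "which" but still has no punctuation around the relative clause, so it reads as a run-on; suggest "The OAuth2 flow which is closely related to the original OAuth 1.0 3-leg flow, called Authorization Code, involves 3 parties: ..." or, simpler, "The OAuth2 flow that is closest to the original OAuth 1.0 3-leg flow is called Authorization Code and involves 3 parties: ...". Separately, the regenerated table of contents keeps placing a nested `<ul>` directly after a closing `</li>` (for example `Supported Grants</a></li><ul><li><a`), which is not valid HTML: a nested list belongs inside the `<li>` it extends. That is pre-existing, but since the whole list is rewritten in this hunk it is the natural point to fix the nesting.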
@@ -269,7 +269,7 @@ INFO: updateCalendar-7_status=allow&amp;
 </pre>
 </div></div> 
 
-<p>AuthorizationCodeGrantService will use a session_authenticity_token to validate
that the session is valid and will process the user decision next. </p>
+<p>AuthorizationCodeGrantService will use a 'session_authenticity_token' to validate
that the session is valid and will process the user decision next. </p>
 
 <p>If the decision is "allow" then it will check the status of the individual scope
values. It relies on the "scopename_status" convention, if the form has offered the user a
chance to selectively enable individual scopes then name/value pairs such as "updateCalendar-7_status=allow"
are submitted. If none of such pairs is coming back then it means the user has approved all
the default and additional (if any) scopes.</p>
 
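Review bot: the quoting style is inconsistent within this section: the change wraps the parameter name in single quotes (`+<p>AuthorizationCodeGrantService will use a 'session_authenticity_token' to validate`), while the unchanged paragraph that follows uses double quotes for the comparable form parameter names (`"scopename_status"`, `"updateCalendar-7_status=allow"`). Suggest double quotes here as well, so that all form parameter names in the section are marked the same way.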
@@ -501,6 +501,41 @@ Authorization: MAC id=<span class="code-
 <h3><a shape="rect" name="JAX-RSOAuth2-AccessTokenValidationService"></a>AccessTokenValidationService
</h3>
 <p>The  <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AccessTokenValidationService.java">AccessTokenValidationService</a>
is a CXF specific OAuth2 service for accepting the remote access token validation requests.
Typically, OAuthRequestFilter (see on it below) may choose to impersonate itself as a third-party
client and will ask AccessTokenValidationService to return the information relevant to the
current access token, before setting up a security context. More on it below.</p>
 
+<h2><a shape="rect" name="JAX-RSOAuth2-SupportedGrants"></a>Supported Grants</h2>
+
+<h3><a shape="rect" name="JAX-RSOAuth2-AuthorizationCode"></a>Authorization
Code</h3>
+
+<p>As described above, <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/AuthorizationCodeGrantService.java">AuthorizationCodeGrantService</a>
service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Authorization Code flow. </p>
+
+<p>The code that the client receives in the end of the redirection process will need
to be exchanged for a new access token with AccessTokenService.</p>
+
+
+<h3><a shape="rect" name="JAX-RSOAuth2-Implicit"></a>Implicit</h3>
+
+<p>Implicit grant is supported the same way Authorization Code grant is except that
the response to the client running within a web browser is formatted differently, using URI
fragments.</p>
+
+<p><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/services/ImplicitGrantService.java">ImplicitGrantService</a>
service and <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/code/AuthorizationCodeDataProvider.java">AuthorizationCodeDataProvider</a>
data provider can support a redirection-based Implicit flow. </p>
+
+<p>Note the only difference is the use of ImplicitGrantService instead of AuthorizationCodeGrantService.</p>
+
+<p>Also note that when an Implicit grant client (running within a browser) replaces
the code grant for a new access token and tries to access the end user's resource, Cross Origin
Resource Sharing (CORS) support will most likely need to be enabled on the end user's resource
server.<br clear="none">
+The simplest approach is to register a CXF <a shape="rect" href="http://cxf.apache.org/docs/jax-rs-cors.html">CORS
filter</a>, right before OAuth2 filter (see on it below).</p>
+
+<h3><a shape="rect" name="JAX-RSOAuth2-ClientCredentials"></a>Client Credentials</h3>
+
+<p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/clientcred/ClientCredentialsGrantHandler.java">ClientCredentialsGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p>
+
+<h3><a shape="rect" name="JAX-RSOAuth2-ResourceOwnerPasswordCredentials"></a>Resource
Owner Password Credentials</h3>
+
+<p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/owner/ResourceOwnerGrantHandler.java">ResourceOwnerGrantHandler</a>
handler with AccessTokenService for this grant be supported.</p>
+
+<h3><a shape="rect" name="JAX-RSOAuth2-RefreshToken"></a>Refresh Token</h3>
+
+<p>The client can issue a refresh token grant if the current access token it owns has
expired or been revoked and the refresh token was issued alongside with the access token which
is now invalid and get the new, 'refreshed' access token. This can allow the client to avoid
seeking a new authorization approval from the end user.</p>
+
+<p>Register <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/grants/refresh/RefreshTokenGrantHandler.java">RefreshTokenGrantHandler</a>
handler with AccessTokenService for this grant be supported. Note this grant handler is only
useful for refreshing the existing access token, so one or more of the other grant handlers
(Authorization Code, Implicit, etc) will also have to be registered with AccessTokenService.</p>
+
+
 <h2><a shape="rect" name="JAX-RSOAuth2-WritingOAuthDataProvider"></a>Writing
OAuthDataProvider</h2>
 
 <p>Using CXF OAuth service implementations will help a lot with setting up an OAuth
server. As you can see from the above sections, these services rely on a custom <a shape="rect"
class="external-link" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/OAuthDataProvider.java">OAuthDataProvider</a>
implementation.</p>
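Review bot: the Implicit grant description at `+<p>Also note that when an Implicit grant client (running within a browser) replaces` says the browser client "replaces the code grant for a new access token", but two paragraphs earlier the same section explains that the Implicit flow differs from Authorization Code precisely in that the response is delivered in the URI fragment, so there is no code to exchange; suggest "when an Implicit grant client (running within a browser) has obtained an access token and tries to access the end user's resource". Also, "for this grant be supported" appears three times (Client Credentials, Resource Owner Password Credentials and Refresh Token) and should read "for this grant to be supported". The Refresh Token paragraph (`+<p>The client can issue a refresh token grant if the current access token it owns has`) is a single long sentence that would be clearer split, e.g. "The client can use the refresh token grant when its current access token has expired or been revoked, provided a refresh token was issued alongside that access token. It then obtains a new, 'refreshed' access token without seeking a new authorization approval from the end user." Finally, each of the three new handler sections tells the reader to "register" the handler with AccessTokenService but shows no configuration snippet; a short registration example would make the new section usable on its own.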


